1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.locksettings.recoverablekeystore; 18 19 import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT; 20 import static android.security.keystore.recovery.RecoveryController.ERROR_DECRYPTION_FAILED; 21 import static android.security.keystore.recovery.RecoveryController.ERROR_DOWNGRADE_CERTIFICATE; 22 import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE; 23 import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_KEY_FORMAT; 24 import static android.security.keystore.recovery.RecoveryController.ERROR_NO_SNAPSHOT_PENDING; 25 import static android.security.keystore.recovery.RecoveryController.ERROR_SERVICE_INTERNAL_ERROR; 26 import static android.security.keystore.recovery.RecoveryController.ERROR_SESSION_EXPIRED; 27 28 import android.Manifest; 29 import android.annotation.NonNull; 30 import android.annotation.Nullable; 31 import android.app.PendingIntent; 32 import android.content.Context; 33 import android.os.Binder; 34 import android.os.RemoteException; 35 import android.os.ServiceSpecificException; 36 import android.os.UserHandle; 37 import android.security.keystore.recovery.KeyChainProtectionParams; 38 import android.security.keystore.recovery.KeyChainSnapshot; 39 import android.security.keystore.recovery.RecoveryCertPath; 40 import android.security.keystore.recovery.RecoveryController; 41 import android.security.keystore.recovery.WrappedApplicationKey; 42 import android.util.ArrayMap; 43 import android.util.Log; 44 45 import com.android.internal.annotations.VisibleForTesting; 46 import com.android.internal.util.HexDump; 47 import com.android.server.locksettings.recoverablekeystore.certificate.CertParsingException; 48 import com.android.server.locksettings.recoverablekeystore.certificate.CertUtils; 49 import com.android.server.locksettings.recoverablekeystore.certificate.CertValidationException; 50 import com.android.server.locksettings.recoverablekeystore.certificate.CertXml; 51 import com.android.server.locksettings.recoverablekeystore.certificate.SigXml; 52 import com.android.server.locksettings.recoverablekeystore.storage.ApplicationKeyStorage; 53 import com.android.server.locksettings.recoverablekeystore.storage.CleanupManager; 54 import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; 55 import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage; 56 import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; 57 58 import java.io.IOException; 59 import java.security.InvalidKeyException; 60 import java.security.KeyStoreException; 61 import java.security.NoSuchAlgorithmException; 62 import java.security.PublicKey; 63 import java.security.SecureRandom; 64 import java.security.UnrecoverableKeyException; 65 import java.security.cert.CertPath; 66 import java.security.cert.CertificateEncodingException; 67 import java.security.cert.CertificateException; 68 import java.security.cert.X509Certificate; 69 import java.security.spec.InvalidKeySpecException; 70 import java.util.Arrays; 71 import java.util.HashMap; 72 import java.util.List; 73 import java.util.Locale; 74 import java.util.Map; 75 import java.util.Objects; 76 import java.util.concurrent.Executors; 77 import java.util.concurrent.ScheduledExecutorService; 78 import java.util.concurrent.TimeUnit; 79 80 import javax.crypto.AEADBadTagException; 81 82 /** 83 * Class with {@link RecoveryController} API implementation and internal methods to interact 84 * with {@code LockSettingsService}. 85 * 86 * @hide 87 */ 88 public class RecoverableKeyStoreManager { 89 private static final String TAG = "RecoverableKeyStoreMgr"; 90 private static final long SYNC_DELAY_MILLIS = 2000; 91 92 private static RecoverableKeyStoreManager mInstance; 93 94 private final Context mContext; 95 private final RecoverableKeyStoreDb mDatabase; 96 private final RecoverySessionStorage mRecoverySessionStorage; 97 private final ScheduledExecutorService mExecutorService; 98 private final RecoverySnapshotListenersStorage mListenersStorage; 99 private final RecoverableKeyGenerator mRecoverableKeyGenerator; 100 private final RecoverySnapshotStorage mSnapshotStorage; 101 private final PlatformKeyManager mPlatformKeyManager; 102 private final ApplicationKeyStorage mApplicationKeyStorage; 103 private final TestOnlyInsecureCertificateHelper mTestCertHelper; 104 private final CleanupManager mCleanupManager; 105 106 /** 107 * Returns a new or existing instance. 108 * 109 * @hide 110 */ 111 public static synchronized RecoverableKeyStoreManager getInstance(Context context)112 getInstance(Context context) { 113 if (mInstance == null) { 114 RecoverableKeyStoreDb db = RecoverableKeyStoreDb.newInstance(context); 115 PlatformKeyManager platformKeyManager; 116 ApplicationKeyStorage applicationKeyStorage; 117 try { 118 platformKeyManager = PlatformKeyManager.getInstance(context, db); 119 applicationKeyStorage = ApplicationKeyStorage.getInstance(); 120 } catch (NoSuchAlgorithmException e) { 121 // Impossible: all algorithms must be supported by AOSP 122 throw new RuntimeException(e); 123 } catch (KeyStoreException e) { 124 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 125 } 126 127 RecoverySnapshotStorage snapshotStorage = 128 RecoverySnapshotStorage.newInstance(); 129 CleanupManager cleanupManager = CleanupManager.getInstance( 130 context.getApplicationContext(), 131 snapshotStorage, 132 db, 133 applicationKeyStorage); 134 mInstance = new RecoverableKeyStoreManager( 135 context.getApplicationContext(), 136 db, 137 new RecoverySessionStorage(), 138 Executors.newScheduledThreadPool(1), 139 snapshotStorage, 140 new RecoverySnapshotListenersStorage(), 141 platformKeyManager, 142 applicationKeyStorage, 143 new TestOnlyInsecureCertificateHelper(), 144 cleanupManager); 145 } 146 return mInstance; 147 } 148 149 @VisibleForTesting RecoverableKeyStoreManager( Context context, RecoverableKeyStoreDb recoverableKeyStoreDb, RecoverySessionStorage recoverySessionStorage, ScheduledExecutorService executorService, RecoverySnapshotStorage snapshotStorage, RecoverySnapshotListenersStorage listenersStorage, PlatformKeyManager platformKeyManager, ApplicationKeyStorage applicationKeyStorage, TestOnlyInsecureCertificateHelper testOnlyInsecureCertificateHelper, CleanupManager cleanupManager)150 RecoverableKeyStoreManager( 151 Context context, 152 RecoverableKeyStoreDb recoverableKeyStoreDb, 153 RecoverySessionStorage recoverySessionStorage, 154 ScheduledExecutorService executorService, 155 RecoverySnapshotStorage snapshotStorage, 156 RecoverySnapshotListenersStorage listenersStorage, 157 PlatformKeyManager platformKeyManager, 158 ApplicationKeyStorage applicationKeyStorage, 159 TestOnlyInsecureCertificateHelper testOnlyInsecureCertificateHelper, 160 CleanupManager cleanupManager) { 161 mContext = context; 162 mDatabase = recoverableKeyStoreDb; 163 mRecoverySessionStorage = recoverySessionStorage; 164 mExecutorService = executorService; 165 mListenersStorage = listenersStorage; 166 mSnapshotStorage = snapshotStorage; 167 mPlatformKeyManager = platformKeyManager; 168 mApplicationKeyStorage = applicationKeyStorage; 169 mTestCertHelper = testOnlyInsecureCertificateHelper; 170 mCleanupManager = cleanupManager; 171 // Clears data for removed users. 172 mCleanupManager.verifyKnownUsers(); 173 try { 174 mRecoverableKeyGenerator = RecoverableKeyGenerator.newInstance(mDatabase); 175 } catch (NoSuchAlgorithmException e) { 176 Log.wtf(TAG, "AES keygen algorithm not available. AOSP must support this.", e); 177 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 178 } 179 } 180 181 /** 182 * Used by {@link #initRecoveryServiceWithSigFile(String, byte[], byte[])}. 183 */ 184 @VisibleForTesting initRecoveryService( @onNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile)185 void initRecoveryService( 186 @NonNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile) 187 throws RemoteException { 188 checkRecoverKeyStorePermission(); 189 int userId = UserHandle.getCallingUserId(); 190 int uid = Binder.getCallingUid(); 191 192 rootCertificateAlias 193 = mTestCertHelper.getDefaultCertificateAliasIfEmpty(rootCertificateAlias); 194 if (!mTestCertHelper.isValidRootCertificateAlias(rootCertificateAlias)) { 195 throw new ServiceSpecificException( 196 ERROR_INVALID_CERTIFICATE, "Invalid root certificate alias"); 197 } 198 // Always set active alias to the argument of the last call to initRecoveryService method, 199 // even if cert file is incorrect. 200 String activeRootAlias = mDatabase.getActiveRootOfTrust(userId, uid); 201 if (activeRootAlias == null) { 202 Log.d(TAG, "Root of trust for recovery agent + " + uid 203 + " is assigned for the first time to " + rootCertificateAlias); 204 } else if (!activeRootAlias.equals(rootCertificateAlias)) { 205 Log.i(TAG, "Root of trust for recovery agent " + uid + " is changed to " 206 + rootCertificateAlias + " from " + activeRootAlias); 207 } 208 long updatedRows = mDatabase.setActiveRootOfTrust(userId, uid, rootCertificateAlias); 209 if (updatedRows < 0) { 210 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, 211 "Failed to set the root of trust in the local DB."); 212 } 213 214 CertXml certXml; 215 try { 216 certXml = CertXml.parse(recoveryServiceCertFile); 217 } catch (CertParsingException e) { 218 Log.d(TAG, "Failed to parse the input as a cert file: " + HexDump.toHexString( 219 recoveryServiceCertFile)); 220 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 221 } 222 223 // Check serial number 224 long newSerial = certXml.getSerial(); 225 Long oldSerial = mDatabase.getRecoveryServiceCertSerial(userId, uid, rootCertificateAlias); 226 if (oldSerial != null && oldSerial >= newSerial 227 && !mTestCertHelper.isTestOnlyCertificateAlias(rootCertificateAlias)) { 228 if (oldSerial == newSerial) { 229 Log.i(TAG, "The cert file serial number is the same, so skip updating."); 230 } else { 231 Log.e(TAG, "The cert file serial number is older than the one in database."); 232 throw new ServiceSpecificException(ERROR_DOWNGRADE_CERTIFICATE, 233 "The cert file serial number is older than the one in database."); 234 } 235 return; 236 } 237 Log.i(TAG, "Updating the certificate with the new serial number " + newSerial); 238 239 // Randomly choose and validate an endpoint certificate from the list 240 CertPath certPath; 241 X509Certificate rootCert = 242 mTestCertHelper.getRootCertificate(rootCertificateAlias); 243 try { 244 Log.d(TAG, "Getting and validating a random endpoint certificate"); 245 certPath = certXml.getRandomEndpointCert(rootCert); 246 } catch (CertValidationException e) { 247 Log.e(TAG, "Invalid endpoint cert", e); 248 throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); 249 } 250 251 // Save the chosen and validated certificate into database 252 try { 253 Log.d(TAG, "Saving the randomly chosen endpoint certificate to database"); 254 long updatedCertPathRows = mDatabase.setRecoveryServiceCertPath(userId, uid, 255 rootCertificateAlias, certPath); 256 if (updatedCertPathRows > 0) { 257 long updatedCertSerialRows = mDatabase.setRecoveryServiceCertSerial(userId, uid, 258 rootCertificateAlias, newSerial); 259 if (updatedCertSerialRows < 0) { 260 // Ideally CertPath and CertSerial should be updated together in single 261 // transaction, but since their mismatch doesn't create many problems 262 // extra complexity is unnecessary. 263 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, 264 "Failed to set the certificate serial number in the local DB."); 265 } 266 if (mDatabase.getSnapshotVersion(userId, uid) != null) { 267 mDatabase.setShouldCreateSnapshot(userId, uid, true); 268 Log.i(TAG, "This is a certificate change. Snapshot must be updated"); 269 } else { 270 Log.i(TAG, "This is a certificate change. Snapshot didn't exist"); 271 } 272 long updatedCounterIdRows = 273 mDatabase.setCounterId(userId, uid, new SecureRandom().nextLong()); 274 if (updatedCounterIdRows < 0) { 275 Log.e(TAG, "Failed to set the counter id in the local DB."); 276 } 277 } else if (updatedCertPathRows < 0) { 278 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, 279 "Failed to set the certificate path in the local DB."); 280 } 281 } catch (CertificateEncodingException e) { 282 Log.e(TAG, "Failed to encode CertPath", e); 283 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 284 } 285 } 286 287 /** 288 * Initializes the recovery service with the two files {@code recoveryServiceCertFile} and 289 * {@code recoveryServiceSigFile}. 290 * 291 * @param rootCertificateAlias the alias for the root certificate that is used for validating 292 * the recovery service certificates. 293 * @param recoveryServiceCertFile the content of the XML file containing a list of certificates 294 * for the recovery service. 295 * @param recoveryServiceSigFile the content of the XML file containing the public-key signature 296 * over the entire content of {@code recoveryServiceCertFile}. 297 */ initRecoveryServiceWithSigFile( @onNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile, @NonNull byte[] recoveryServiceSigFile)298 public void initRecoveryServiceWithSigFile( 299 @NonNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile, 300 @NonNull byte[] recoveryServiceSigFile) 301 throws RemoteException { 302 checkRecoverKeyStorePermission(); 303 rootCertificateAlias = 304 mTestCertHelper.getDefaultCertificateAliasIfEmpty(rootCertificateAlias); 305 Objects.requireNonNull(recoveryServiceCertFile, "recoveryServiceCertFile is null"); 306 Objects.requireNonNull(recoveryServiceSigFile, "recoveryServiceSigFile is null"); 307 308 SigXml sigXml; 309 try { 310 sigXml = SigXml.parse(recoveryServiceSigFile); 311 } catch (CertParsingException e) { 312 Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString( 313 recoveryServiceSigFile)); 314 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 315 } 316 317 X509Certificate rootCert = 318 mTestCertHelper.getRootCertificate(rootCertificateAlias); 319 try { 320 sigXml.verifyFileSignature(rootCert, recoveryServiceCertFile); 321 } catch (CertValidationException e) { 322 Log.d(TAG, "The signature over the cert file is invalid." 323 + " Cert: " + HexDump.toHexString(recoveryServiceCertFile) 324 + " Sig: " + HexDump.toHexString(recoveryServiceSigFile)); 325 throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); 326 } 327 328 initRecoveryService(rootCertificateAlias, recoveryServiceCertFile); 329 } 330 331 /** 332 * Gets all data necessary to recover application keys on new device. 333 * 334 * @return KeyChain Snapshot. 335 * @throws ServiceSpecificException if no snapshot is pending. 336 * @hide 337 */ getKeyChainSnapshot()338 public @NonNull KeyChainSnapshot getKeyChainSnapshot() 339 throws RemoteException { 340 checkRecoverKeyStorePermission(); 341 int uid = Binder.getCallingUid(); 342 KeyChainSnapshot snapshot = mSnapshotStorage.get(uid); 343 if (snapshot == null) { 344 throw new ServiceSpecificException(ERROR_NO_SNAPSHOT_PENDING); 345 } 346 return snapshot; 347 } 348 setSnapshotCreatedPendingIntent(@ullable PendingIntent intent)349 public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent) 350 throws RemoteException { 351 checkRecoverKeyStorePermission(); 352 int uid = Binder.getCallingUid(); 353 mListenersStorage.setSnapshotListener(uid, intent); 354 } 355 356 /** 357 * Set the server params for the user's key chain. This is used to uniquely identify a key 358 * chain. Along with the counter ID, it is used to uniquely identify an instance of a vault. 359 */ setServerParams(@onNull byte[] serverParams)360 public void setServerParams(@NonNull byte[] serverParams) throws RemoteException { 361 checkRecoverKeyStorePermission(); 362 int userId = UserHandle.getCallingUserId(); 363 int uid = Binder.getCallingUid(); 364 365 byte[] currentServerParams = mDatabase.getServerParams(userId, uid); 366 367 if (Arrays.equals(serverParams, currentServerParams)) { 368 Log.v(TAG, "Not updating server params - same as old value."); 369 return; 370 } 371 372 long updatedRows = mDatabase.setServerParams(userId, uid, serverParams); 373 if (updatedRows < 0) { 374 throw new ServiceSpecificException( 375 ERROR_SERVICE_INTERNAL_ERROR, "Database failure trying to set server params."); 376 } 377 378 if (currentServerParams == null) { 379 Log.i(TAG, "Initialized server params."); 380 return; 381 } 382 383 if (mDatabase.getSnapshotVersion(userId, uid) != null) { 384 mDatabase.setShouldCreateSnapshot(userId, uid, true); 385 Log.i(TAG, "Updated server params. Snapshot must be updated"); 386 } else { 387 Log.i(TAG, "Updated server params. Snapshot didn't exist"); 388 } 389 } 390 391 /** 392 * Sets the recovery status of key with {@code alias} to {@code status}. 393 */ setRecoveryStatus(@onNull String alias, int status)394 public void setRecoveryStatus(@NonNull String alias, int status) throws RemoteException { 395 checkRecoverKeyStorePermission(); 396 Objects.requireNonNull(alias, "alias is null"); 397 long updatedRows = mDatabase.setRecoveryStatus(Binder.getCallingUid(), alias, status); 398 if (updatedRows < 0) { 399 throw new ServiceSpecificException( 400 ERROR_SERVICE_INTERNAL_ERROR, 401 "Failed to set the key recovery status in the local DB."); 402 } 403 } 404 405 /** 406 * Returns recovery statuses for all keys belonging to the calling uid. 407 * 408 * @return {@link Map} from key alias to recovery status. Recovery status is one of 409 * {@link RecoveryController#RECOVERY_STATUS_SYNCED}, 410 * {@link RecoveryController#RECOVERY_STATUS_SYNC_IN_PROGRESS} or 411 * {@link RecoveryController#RECOVERY_STATUS_PERMANENT_FAILURE}. 412 */ getRecoveryStatus()413 public @NonNull Map<String, Integer> getRecoveryStatus() throws RemoteException { 414 checkRecoverKeyStorePermission(); 415 return mDatabase.getStatusForAllKeys(Binder.getCallingUid()); 416 } 417 418 /** 419 * Sets recovery secrets list used by all recovery agents for given {@code userId} 420 * 421 * @hide 422 */ setRecoverySecretTypes( @onNull @eyChainProtectionParams.UserSecretType int[] secretTypes)423 public void setRecoverySecretTypes( 424 @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes) 425 throws RemoteException { 426 checkRecoverKeyStorePermission(); 427 Objects.requireNonNull(secretTypes, "secretTypes is null"); 428 int userId = UserHandle.getCallingUserId(); 429 int uid = Binder.getCallingUid(); 430 431 int[] currentSecretTypes = mDatabase.getRecoverySecretTypes(userId, uid); 432 if (Arrays.equals(secretTypes, currentSecretTypes)) { 433 Log.v(TAG, "Not updating secret types - same as old value."); 434 return; 435 } 436 437 long updatedRows = mDatabase.setRecoverySecretTypes(userId, uid, secretTypes); 438 if (updatedRows < 0) { 439 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, 440 "Database error trying to set secret types."); 441 } 442 443 if (currentSecretTypes.length == 0) { 444 Log.i(TAG, "Initialized secret types."); 445 return; 446 } 447 448 Log.i(TAG, "Updated secret types. Snapshot pending."); 449 if (mDatabase.getSnapshotVersion(userId, uid) != null) { 450 mDatabase.setShouldCreateSnapshot(userId, uid, true); 451 Log.i(TAG, "Updated secret types. Snapshot must be updated"); 452 } else { 453 Log.i(TAG, "Updated secret types. Snapshot didn't exist"); 454 } 455 } 456 457 /** 458 * Gets secret types necessary to create Recovery Data. 459 * 460 * @return secret types 461 * @hide 462 */ getRecoverySecretTypes()463 public @NonNull int[] getRecoverySecretTypes() throws RemoteException { 464 checkRecoverKeyStorePermission(); 465 return mDatabase.getRecoverySecretTypes(UserHandle.getCallingUserId(), 466 Binder.getCallingUid()); 467 } 468 469 /** 470 * Initializes recovery session given the X509-encoded public key of the recovery service. 471 * 472 * @param sessionId A unique ID to identify the recovery session. 473 * @param verifierPublicKey X509-encoded public key. 474 * @param vaultParams Additional params associated with vault. 475 * @param vaultChallenge Challenge issued by vault service. 476 * @param secrets Lock-screen hashes. For now only a single secret is supported. 477 * @return Encrypted bytes of recovery claim. This can then be issued to the vault service. 478 * @deprecated Use {@link #startRecoverySessionWithCertPath(String, String, RecoveryCertPath, 479 * byte[], byte[], List)} instead. 480 * 481 * @hide 482 */ 483 @VisibleForTesting startRecoverySession( @onNull String sessionId, @NonNull byte[] verifierPublicKey, @NonNull byte[] vaultParams, @NonNull byte[] vaultChallenge, @NonNull List<KeyChainProtectionParams> secrets)484 @NonNull byte[] startRecoverySession( 485 @NonNull String sessionId, 486 @NonNull byte[] verifierPublicKey, 487 @NonNull byte[] vaultParams, 488 @NonNull byte[] vaultChallenge, 489 @NonNull List<KeyChainProtectionParams> secrets) 490 throws RemoteException { 491 checkRecoverKeyStorePermission(); 492 int uid = Binder.getCallingUid(); 493 494 if (secrets.size() != 1) { 495 throw new UnsupportedOperationException( 496 "Only a single KeyChainProtectionParams is supported"); 497 } 498 499 PublicKey publicKey; 500 try { 501 publicKey = KeySyncUtils.deserializePublicKey(verifierPublicKey); 502 } catch (InvalidKeySpecException e) { 503 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 504 } 505 // The raw public key bytes contained in vaultParams must match the ones given in 506 // verifierPublicKey; otherwise, the user secret may be decrypted by a key that is not owned 507 // by the original recovery service. 508 if (!publicKeysMatch(publicKey, vaultParams)) { 509 throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, 510 "The public keys given in verifierPublicKey and vaultParams do not match."); 511 } 512 513 byte[] keyClaimant = KeySyncUtils.generateKeyClaimant(); 514 byte[] kfHash = secrets.get(0).getSecret(); 515 mRecoverySessionStorage.add( 516 uid, 517 new RecoverySessionStorage.Entry(sessionId, kfHash, keyClaimant, vaultParams)); 518 519 Log.i(TAG, "Received VaultParams for recovery: " + HexDump.toHexString(vaultParams)); 520 try { 521 byte[] thmKfHash = KeySyncUtils.calculateThmKfHash(kfHash); 522 return KeySyncUtils.encryptRecoveryClaim( 523 publicKey, 524 vaultParams, 525 vaultChallenge, 526 thmKfHash, 527 keyClaimant); 528 } catch (NoSuchAlgorithmException e) { 529 Log.wtf(TAG, "SecureBox algorithm missing. AOSP must support this.", e); 530 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 531 } catch (InvalidKeyException e) { 532 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 533 } 534 } 535 536 /** 537 * Initializes recovery session given the certificate path of the recovery service. 538 * 539 * @param sessionId A unique ID to identify the recovery session. 540 * @param verifierCertPath The certificate path of the recovery service. 541 * @param vaultParams Additional params associated with vault. 542 * @param vaultChallenge Challenge issued by vault service. 543 * @param secrets Lock-screen hashes. For now only a single secret is supported. 544 * @return Encrypted bytes of recovery claim. This can then be issued to the vault service. 545 * 546 * @hide 547 */ startRecoverySessionWithCertPath( @onNull String sessionId, @NonNull String rootCertificateAlias, @NonNull RecoveryCertPath verifierCertPath, @NonNull byte[] vaultParams, @NonNull byte[] vaultChallenge, @NonNull List<KeyChainProtectionParams> secrets)548 public @NonNull byte[] startRecoverySessionWithCertPath( 549 @NonNull String sessionId, 550 @NonNull String rootCertificateAlias, 551 @NonNull RecoveryCertPath verifierCertPath, 552 @NonNull byte[] vaultParams, 553 @NonNull byte[] vaultChallenge, 554 @NonNull List<KeyChainProtectionParams> secrets) 555 throws RemoteException { 556 checkRecoverKeyStorePermission(); 557 rootCertificateAlias = 558 mTestCertHelper.getDefaultCertificateAliasIfEmpty(rootCertificateAlias); 559 Objects.requireNonNull(sessionId, "invalid session"); 560 Objects.requireNonNull(verifierCertPath, "verifierCertPath is null"); 561 Objects.requireNonNull(vaultParams, "vaultParams is null"); 562 Objects.requireNonNull(vaultChallenge, "vaultChallenge is null"); 563 Objects.requireNonNull(secrets, "secrets is null"); 564 CertPath certPath; 565 try { 566 certPath = verifierCertPath.getCertPath(); 567 } catch (CertificateException e) { 568 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); 569 } 570 571 try { 572 CertUtils.validateCertPath( 573 mTestCertHelper.getRootCertificate(rootCertificateAlias), certPath); 574 } catch (CertValidationException e) { 575 Log.e(TAG, "Failed to validate the given cert path", e); 576 throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); 577 } 578 579 byte[] verifierPublicKey = certPath.getCertificates().get(0).getPublicKey().getEncoded(); 580 if (verifierPublicKey == null) { 581 Log.e(TAG, "Failed to encode verifierPublicKey"); 582 throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, 583 "Failed to encode verifierPublicKey"); 584 } 585 586 return startRecoverySession( 587 sessionId, verifierPublicKey, vaultParams, vaultChallenge, secrets); 588 } 589 590 /** 591 * Invoked by a recovery agent after a successful recovery claim is sent to the remote vault 592 * service. 593 * 594 * @param sessionId The session ID used to generate the claim. See 595 * {@link #startRecoverySession(String, byte[], byte[], byte[], List)}. 596 * @param encryptedRecoveryKey The encrypted recovery key blob returned by the remote vault 597 * service. 598 * @param applicationKeys The encrypted key blobs returned by the remote vault service. These 599 * were wrapped with the recovery key. 600 * @throws RemoteException if an error occurred recovering the keys. 601 */ recoverKeyChainSnapshot( @onNull String sessionId, @NonNull byte[] encryptedRecoveryKey, @NonNull List<WrappedApplicationKey> applicationKeys)602 public @NonNull Map<String, String> recoverKeyChainSnapshot( 603 @NonNull String sessionId, 604 @NonNull byte[] encryptedRecoveryKey, 605 @NonNull List<WrappedApplicationKey> applicationKeys) throws RemoteException { 606 checkRecoverKeyStorePermission(); 607 int userId = UserHandle.getCallingUserId(); 608 int uid = Binder.getCallingUid(); 609 RecoverySessionStorage.Entry sessionEntry = mRecoverySessionStorage.get(uid, sessionId); 610 if (sessionEntry == null) { 611 throw new ServiceSpecificException(ERROR_SESSION_EXPIRED, 612 String.format(Locale.US, 613 "Application uid=%d does not have pending session '%s'", 614 uid, 615 sessionId)); 616 } 617 618 try { 619 byte[] recoveryKey = decryptRecoveryKey(sessionEntry, encryptedRecoveryKey); 620 Map<String, byte[]> keysByAlias = recoverApplicationKeys(recoveryKey, 621 applicationKeys); 622 return importKeyMaterials(userId, uid, keysByAlias); 623 } catch (KeyStoreException e) { 624 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 625 } finally { 626 sessionEntry.destroy(); 627 mRecoverySessionStorage.remove(uid); 628 } 629 } 630 631 /** 632 * Imports the key materials, returning a map from alias to grant alias for the calling user. 633 * 634 * @param userId The calling user ID. 635 * @param uid The calling uid. 636 * @param keysByAlias The key materials, keyed by alias. 637 * @throws KeyStoreException if an error occurs importing the key or getting the grant. 638 */ importKeyMaterials( int userId, int uid, Map<String, byte[]> keysByAlias)639 private @NonNull Map<String, String> importKeyMaterials( 640 int userId, int uid, Map<String, byte[]> keysByAlias) 641 throws KeyStoreException { 642 ArrayMap<String, String> grantAliasesByAlias = new ArrayMap<>(keysByAlias.size()); 643 for (String alias : keysByAlias.keySet()) { 644 mApplicationKeyStorage.setSymmetricKeyEntry(userId, uid, alias, keysByAlias.get(alias)); 645 String grantAlias = getAlias(userId, uid, alias); 646 Log.i(TAG, String.format(Locale.US, "Import %s -> %s", alias, grantAlias)); 647 grantAliasesByAlias.put(alias, grantAlias); 648 } 649 return grantAliasesByAlias; 650 } 651 652 /** 653 * Returns an alias for the key. 654 * 655 * @param userId The user ID of the calling process. 656 * @param uid The uid of the calling process. 657 * @param alias The alias of the key. 658 * @return The alias in the calling process's keystore. 659 */ getAlias(int userId, int uid, String alias)660 private @Nullable String getAlias(int userId, int uid, String alias) { 661 return mApplicationKeyStorage.getGrantAlias(userId, uid, alias); 662 } 663 664 /** 665 * Destroys the session with the given {@code sessionId}. 666 */ closeSession(@onNull String sessionId)667 public void closeSession(@NonNull String sessionId) throws RemoteException { 668 checkRecoverKeyStorePermission(); 669 Objects.requireNonNull(sessionId, "invalid session"); 670 mRecoverySessionStorage.remove(Binder.getCallingUid(), sessionId); 671 } 672 removeKey(@onNull String alias)673 public void removeKey(@NonNull String alias) throws RemoteException { 674 checkRecoverKeyStorePermission(); 675 Objects.requireNonNull(alias, "alias is null"); 676 int uid = Binder.getCallingUid(); 677 int userId = UserHandle.getCallingUserId(); 678 679 boolean wasRemoved = mDatabase.removeKey(uid, alias); 680 if (wasRemoved) { 681 mDatabase.setShouldCreateSnapshot(userId, uid, true); 682 mApplicationKeyStorage.deleteEntry(userId, uid, alias); 683 } 684 } 685 686 /** 687 * Generates a key named {@code alias} in caller's namespace. 688 * The key is stored in system service keystore namespace. 689 * 690 * @param alias the alias provided by caller as a reference to the key. 691 * @return grant alias, which caller can use to access the key. 692 * @throws RemoteException if certain internal errors occur. 693 * 694 * @deprecated Use {@link #generateKeyWithMetadata(String, byte[])} instead. 695 */ 696 @Deprecated generateKey(@onNull String alias)697 public String generateKey(@NonNull String alias) throws RemoteException { 698 return generateKeyWithMetadata(alias, /*metadata=*/ null); 699 } 700 701 /** 702 * Generates a key named {@code alias} with the {@code metadata} in caller's namespace. 703 * The key is stored in system service keystore namespace. 704 * 705 * @param alias the alias provided by caller as a reference to the key. 706 * @param metadata the optional metadata blob that will authenticated (but unencrypted) together 707 * with the key material when the key is uploaded to cloud. 708 * @return grant alias, which caller can use to access the key. 709 * @throws RemoteException if certain internal errors occur. 710 */ generateKeyWithMetadata(@onNull String alias, @Nullable byte[] metadata)711 public String generateKeyWithMetadata(@NonNull String alias, @Nullable byte[] metadata) 712 throws RemoteException { 713 checkRecoverKeyStorePermission(); 714 Objects.requireNonNull(alias, "alias is null"); 715 int uid = Binder.getCallingUid(); 716 int userId = UserHandle.getCallingUserId(); 717 718 PlatformEncryptionKey encryptionKey; 719 try { 720 encryptionKey = mPlatformKeyManager.getEncryptKey(userId); 721 } catch (NoSuchAlgorithmException e) { 722 // Impossible: all algorithms must be supported by AOSP 723 throw new RuntimeException(e); 724 } catch (KeyStoreException | UnrecoverableKeyException | IOException e) { 725 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 726 } 727 728 try { 729 byte[] secretKey = mRecoverableKeyGenerator.generateAndStoreKey(encryptionKey, userId, 730 uid, alias, metadata); 731 mApplicationKeyStorage.setSymmetricKeyEntry(userId, uid, alias, secretKey); 732 return getAlias(userId, uid, alias); 733 } catch (KeyStoreException | InvalidKeyException | RecoverableKeyStorageException e) { 734 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 735 } 736 } 737 738 /** 739 * Imports a 256-bit AES-GCM key named {@code alias}. The key is stored in system service 740 * keystore namespace. 741 * 742 * @param alias the alias provided by caller as a reference to the key. 743 * @param keyBytes the raw bytes of the 256-bit AES key. 744 * @return grant alias, which caller can use to access the key. 745 * @throws RemoteException if the given key is invalid or some internal errors occur. 746 * 747 * @deprecated Use {{@link #importKeyWithMetadata(String, byte[], byte[])}} instead. 748 * 749 * @hide 750 */ 751 @Deprecated importKey(@onNull String alias, @NonNull byte[] keyBytes)752 public @Nullable String importKey(@NonNull String alias, @NonNull byte[] keyBytes) 753 throws RemoteException { 754 return importKeyWithMetadata(alias, keyBytes, /*metadata=*/ null); 755 } 756 757 /** 758 * Imports a 256-bit AES-GCM key named {@code alias} with the given {@code metadata}. The key is 759 * stored in system service keystore namespace. 760 * 761 * @param alias the alias provided by caller as a reference to the key. 762 * @param keyBytes the raw bytes of the 256-bit AES key. 763 * @param metadata the metadata to be authenticated (but unencrypted) together with the key. 764 * @return grant alias, which caller can use to access the key. 765 * @throws RemoteException if the given key is invalid or some internal errors occur. 766 * 767 * @hide 768 */ importKeyWithMetadata(@onNull String alias, @NonNull byte[] keyBytes, @Nullable byte[] metadata)769 public @Nullable String importKeyWithMetadata(@NonNull String alias, @NonNull byte[] keyBytes, 770 @Nullable byte[] metadata) throws RemoteException { 771 checkRecoverKeyStorePermission(); 772 Objects.requireNonNull(alias, "alias is null"); 773 Objects.requireNonNull(keyBytes, "keyBytes is null"); 774 if (keyBytes.length != RecoverableKeyGenerator.KEY_SIZE_BITS / Byte.SIZE) { 775 Log.e(TAG, "The given key for import doesn't have the required length " 776 + RecoverableKeyGenerator.KEY_SIZE_BITS); 777 throw new ServiceSpecificException(ERROR_INVALID_KEY_FORMAT, 778 "The given key does not contain " + RecoverableKeyGenerator.KEY_SIZE_BITS 779 + " bits."); 780 } 781 782 int uid = Binder.getCallingUid(); 783 int userId = UserHandle.getCallingUserId(); 784 785 PlatformEncryptionKey encryptionKey; 786 try { 787 encryptionKey = mPlatformKeyManager.getEncryptKey(userId); 788 } catch (NoSuchAlgorithmException e) { 789 // Impossible: all algorithms must be supported by AOSP 790 throw new RuntimeException(e); 791 } catch (KeyStoreException | UnrecoverableKeyException | IOException e) { 792 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 793 } 794 795 try { 796 // Wrap the key by the platform key and store the wrapped key locally 797 mRecoverableKeyGenerator.importKey(encryptionKey, userId, uid, alias, keyBytes, 798 metadata); 799 800 // Import the key to Android KeyStore and get grant 801 mApplicationKeyStorage.setSymmetricKeyEntry(userId, uid, alias, keyBytes); 802 return getAlias(userId, uid, alias); 803 } catch (KeyStoreException | InvalidKeyException | RecoverableKeyStorageException e) { 804 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 805 } 806 } 807 808 /** 809 * Gets a key named {@code alias} in caller's namespace. 810 * 811 * @return grant alias, which caller can use to access the key. 812 */ getKey(@onNull String alias)813 public @Nullable String getKey(@NonNull String alias) throws RemoteException { 814 checkRecoverKeyStorePermission(); 815 Objects.requireNonNull(alias, "alias is null"); 816 int uid = Binder.getCallingUid(); 817 int userId = UserHandle.getCallingUserId(); 818 return getAlias(userId, uid, alias); 819 } 820 decryptRecoveryKey( RecoverySessionStorage.Entry sessionEntry, byte[] encryptedClaimResponse)821 private byte[] decryptRecoveryKey( 822 RecoverySessionStorage.Entry sessionEntry, byte[] encryptedClaimResponse) 823 throws RemoteException, ServiceSpecificException { 824 byte[] locallyEncryptedKey; 825 try { 826 locallyEncryptedKey = KeySyncUtils.decryptRecoveryClaimResponse( 827 sessionEntry.getKeyClaimant(), 828 sessionEntry.getVaultParams(), 829 encryptedClaimResponse); 830 } catch (InvalidKeyException e) { 831 Log.e(TAG, "Got InvalidKeyException during decrypting recovery claim response", e); 832 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 833 "Failed to decrypt recovery key " + e.getMessage()); 834 } catch (AEADBadTagException e) { 835 Log.e(TAG, "Got AEADBadTagException during decrypting recovery claim response", e); 836 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 837 "Failed to decrypt recovery key " + e.getMessage()); 838 } catch (NoSuchAlgorithmException e) { 839 // Should never happen: all the algorithms used are required by AOSP implementations 840 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 841 } 842 843 try { 844 return KeySyncUtils.decryptRecoveryKey(sessionEntry.getLskfHash(), locallyEncryptedKey); 845 } catch (InvalidKeyException e) { 846 Log.e(TAG, "Got InvalidKeyException during decrypting recovery key", e); 847 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 848 "Failed to decrypt recovery key " + e.getMessage()); 849 } catch (AEADBadTagException e) { 850 Log.e(TAG, "Got AEADBadTagException during decrypting recovery key", e); 851 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 852 "Failed to decrypt recovery key " + e.getMessage()); 853 } catch (NoSuchAlgorithmException e) { 854 // Should never happen: all the algorithms used are required by AOSP implementations 855 throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 856 } 857 } 858 859 /** 860 * Uses {@code recoveryKey} to decrypt {@code applicationKeys}. 861 * 862 * @return Map from alias to raw key material. 863 * @throws RemoteException if an error occurred decrypting the keys. 864 */ recoverApplicationKeys(@onNull byte[] recoveryKey, @NonNull List<WrappedApplicationKey> applicationKeys)865 private @NonNull Map<String, byte[]> recoverApplicationKeys(@NonNull byte[] recoveryKey, 866 @NonNull List<WrappedApplicationKey> applicationKeys) throws RemoteException { 867 HashMap<String, byte[]> keyMaterialByAlias = new HashMap<>(); 868 for (WrappedApplicationKey applicationKey : applicationKeys) { 869 String alias = applicationKey.getAlias(); 870 byte[] encryptedKeyMaterial = applicationKey.getEncryptedKeyMaterial(); 871 byte[] keyMetadata = applicationKey.getMetadata(); 872 873 try { 874 byte[] keyMaterial = KeySyncUtils.decryptApplicationKey(recoveryKey, 875 encryptedKeyMaterial, keyMetadata); 876 keyMaterialByAlias.put(alias, keyMaterial); 877 } catch (NoSuchAlgorithmException e) { 878 Log.wtf(TAG, "Missing SecureBox algorithm. AOSP required to support this.", e); 879 throw new ServiceSpecificException( 880 ERROR_SERVICE_INTERNAL_ERROR, e.getMessage()); 881 } catch (InvalidKeyException e) { 882 Log.e(TAG, "Got InvalidKeyException during decrypting application key with alias: " 883 + alias, e); 884 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 885 "Failed to recover key with alias '" + alias + "': " + e.getMessage()); 886 } catch (AEADBadTagException e) { 887 Log.e(TAG, "Got AEADBadTagException during decrypting application key with alias: " 888 + alias, e); 889 // Ignore the exception to continue to recover the other application keys. 890 } 891 } 892 if (!applicationKeys.isEmpty() && keyMaterialByAlias.isEmpty()) { 893 Log.e(TAG, "Failed to recover any of the application keys."); 894 throw new ServiceSpecificException(ERROR_DECRYPTION_FAILED, 895 "Failed to recover any of the application keys."); 896 } 897 return keyMaterialByAlias; 898 } 899 900 /** 901 * This function can only be used inside LockSettingsService. 902 * 903 * @param storedHashType from {@code CredentialHash} 904 * @param credential - unencrypted byte array. Password length should be at most 16 symbols 905 * {@code mPasswordMaxLength} 906 * @param userId for user who just unlocked the device. 907 * @hide 908 */ lockScreenSecretAvailable( int storedHashType, @NonNull byte[] credential, int userId)909 public void lockScreenSecretAvailable( 910 int storedHashType, @NonNull byte[] credential, int userId) { 911 // So as not to block the critical path unlocking the phone, defer to another thread. 912 try { 913 mExecutorService.schedule(KeySyncTask.newInstance( 914 mContext, 915 mDatabase, 916 mSnapshotStorage, 917 mListenersStorage, 918 userId, 919 storedHashType, 920 credential, 921 /*credentialUpdated=*/ false), 922 SYNC_DELAY_MILLIS, 923 TimeUnit.MILLISECONDS 924 ); 925 } catch (NoSuchAlgorithmException e) { 926 Log.wtf(TAG, "Should never happen - algorithm unavailable for KeySync", e); 927 } catch (KeyStoreException e) { 928 Log.e(TAG, "Key store error encountered during recoverable key sync", e); 929 } catch (InsecureUserException e) { 930 Log.wtf(TAG, "Impossible - insecure user, but user just entered lock screen", e); 931 } 932 } 933 934 /** 935 * This function can only be used inside LockSettingsService. 936 * 937 * @param storedHashType from {@code CredentialHash} 938 * @param credential - unencrypted byte array 939 * @param userId for the user whose lock screen credentials were changed. 940 * @hide 941 */ lockScreenSecretChanged( int storedHashType, @Nullable byte[] credential, int userId)942 public void lockScreenSecretChanged( 943 int storedHashType, 944 @Nullable byte[] credential, 945 int userId) { 946 // So as not to block the critical path unlocking the phone, defer to another thread. 947 try { 948 mExecutorService.schedule(KeySyncTask.newInstance( 949 mContext, 950 mDatabase, 951 mSnapshotStorage, 952 mListenersStorage, 953 userId, 954 storedHashType, 955 credential, 956 /*credentialUpdated=*/ true), 957 SYNC_DELAY_MILLIS, 958 TimeUnit.MILLISECONDS 959 ); 960 } catch (NoSuchAlgorithmException e) { 961 Log.wtf(TAG, "Should never happen - algorithm unavailable for KeySync", e); 962 } catch (KeyStoreException e) { 963 Log.e(TAG, "Key store error encountered during recoverable key sync", e); 964 } catch (InsecureUserException e) { 965 Log.e(TAG, "InsecureUserException during lock screen secret update", e); 966 } 967 } 968 checkRecoverKeyStorePermission()969 private void checkRecoverKeyStorePermission() { 970 mContext.enforceCallingOrSelfPermission( 971 Manifest.permission.RECOVER_KEYSTORE, 972 "Caller " + Binder.getCallingUid() + " doesn't have RecoverKeyStore permission."); 973 int userId = UserHandle.getCallingUserId(); 974 int uid = Binder.getCallingUid(); 975 mCleanupManager.registerRecoveryAgent(userId, uid); 976 } 977 publicKeysMatch(PublicKey publicKey, byte[] vaultParams)978 private boolean publicKeysMatch(PublicKey publicKey, byte[] vaultParams) { 979 byte[] encodedPublicKey = SecureBox.encodePublicKey(publicKey); 980 return Arrays.equals(encodedPublicKey, Arrays.copyOf(vaultParams, encodedPublicKey.length)); 981 } 982 } 983